Rooting for data
Root the Box’s efforts so far constitute minor nuisances
Visitors to the University’s homepage Monday evening found themselves faced with a blurry image of a white skull. The page rerouted to the Twitter account of an anonymous group of hackers, under the handle @R00tTh3B0x.
The hackers battled with the University’s Information Technology Services for control of virginia.edu for nearly an hour. Ultimately the University fought off the cyber attack, and the site returned to normal.
All the while @R00tTh3B0x issued menacing tweets from its unidentified account. The account proclaimed a vendetta against ITS and three University scientists who last month earned a $40,000 grant to fight hacking, and it warned online onlookers that it planned to search University email accounts.
The hackers operating the account said in a Twitter interview Monday evening that they had no ties to the University or to the official Root the Box hacking challenge, which aims to teach participants about information security. But the initial claim that @R00tTh3B0x is unaffiliated with the University turned out to be probably false. The account tweeted Tuesday around 10 p.m.: “The UVa hasn’t changed a bit since I attended.” The claim was not much of a surprise. For an ad hoc hacker to target the University would be odd. Surely there are private companies with weaker online defense systems and more valuable data to seize, or government agencies that would suffer more embarrassment from a successful cyber attack.
Tuesday evening the hackers made an appearance again on virginia.edu, once more redirecting users to the @R00tTh3B0x twitter account. Nearly an hour later, after the University had regained control of its site, the web commandeers tweeted: “Virginia, this is your FINAL chance. Acknowledgement, otherwise you will be continuously attacked, and confidential data will be released.”
@R00tTh3B0x, looming behind its white-skulled icon, aims to scare. And though hacking is violence of a sterile, electronic sort, it is alarming nonetheless. Cyber attacks remind us of the fragile position the majority of web users occupy. Apart from a few specialists, most people know little about the web’s inner workings. Which is unfortunate — because for a certain population group, such as the people likely to store data on the University’s servers, information is a valuable commodity.
But so far @R00tTh3B0x’s threats to invade personal email accounts and seize confidential information are empty.
Though its actions sparked an online uproar, including hundreds of frantic tweets and a mention in The Washington Post, all R00tTh3B0x has done is redirect a web domain. Virginia.edu, the central hub of the University’s online presence, is an important page to keep secure. But R00tTh3B0x has not jeopardized the site’s security in any meaningful way. It did not compromise SIS, a portal on which students store sensitive financial information. And it did not circumvent Gmail’s notoriously tight security to hack into personal email accounts.
If R00tTh3B0x had been able to realize its threat of searching personal email accounts, it would likely have broadcasted its achievement to increase the amount of concern it generated. Defacing the University’s homepage demands much less sophisticated technological expertise than hacking into data storage systems. It is the equivalent of spray-painting a wall, as opposed to breaking into a safe. R00tTh3B0x’s actions constitute little more than minor annoyances.
Information security infrastructure can be prohibitively expensive, and ITS has done well making do with the resources it has. We commend the department for its prompt and successful defense of the University’s website. The ongoing cyber-skirmish provides a reminder of the importance of strong data protection for the University, particularly as the school expands its online-learning ventures. The school’s information-technology branch is typically invisible, unless a problem arises. That’s how it should be. But we mustn’t forget the crucial role ITS plays in keeping our information safe from prying eyes, and greedy fingers. We hope the department roots out this current annoyance quickly, and ends this online boxing match by knocking the hackers cold.